\subsection{Parser}
\label{sec:design_parser}

The parser is implemented in Python.  It does nothing more than transform the original log into the format we want.  Python supports regular expressions natively, so we use them to parse the logs.  The log is stored as a dictionary such as \{`path': `/home/aegiryy/e.txt', `exe': `vim', `uid': 1003, ...\}, and it is in this form that the daemon process will store encrypted extended attributes to the file.

The parser depends heavily on the \textit{auditd} log format because it extracts the useful information directly from the original logs.  As a result, it will likely not work under all versions of \textit{auditd}.  Our implementation was tested on Ubuntu 12.04.
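
The following sketch illustrates the kind of regular-expression parsing described above; it is an added example, not the implementation evaluated in this paper. It assumes each file access appears as SYSCALL, CWD and PATH records sharing one event serial, takes `exe' as the basename of the audited executable, and uses constructed sample records.

```python
import os
import re
from collections import defaultdict

# Constructed sample records in the auditd format (not taken from the paper).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3538 uid=1003 comm="vim" exe="/usr/bin/vim"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/aegiryy"
type=PATH msg=audit(1364481363.243:24287): item=0 name="e.txt" inode=409248
type=SYSCALL msg=audit(1364481370.101:24290): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3541 uid=1003 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1364481370.101:24290): cwd="/tmp"
type=PATH msg=audit(1364481370.101:24290): item=0 name=6D79206E6F7465732E747874 inode=409301
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {'name', 'cwd', 'exe', 'comm'}

def decode(key, raw):
    """auditd quotes plain strings and hex-encodes ones with spaces or control bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def parse(log_text):
    """Group records by event serial and return one dictionary per file access."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, _, serial, body = m.groups()
        # If an event has several PATH records, the last one wins.
        events[serial][rtype] = {k: decode(k, v) for k, v in FIELD.findall(body)}
    result = []
    for ev in events.values():
        if not {'SYSCALL', 'CWD', 'PATH'} <= ev.keys():
            continue  # incomplete event, e.g. cut off by log rotation
        sc = ev['SYSCALL']
        path = os.path.normpath(os.path.join(ev['CWD']['cwd'], ev['PATH']['name']))
        result.append({'path': path, 'exe': os.path.basename(sc['exe']),
                       'uid': int(sc['uid'])})
    return result
```

The second sample event shows why the format dependence matters: a file name containing a space is logged hex-encoded and unquoted, so a parser that only expects quoted strings would record the wrong path.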

